From: Ed DeJesus [mailto:dejesus@compuserve.com]
Sent: Monday, October 13, 2003 1:10 PM
To: ed.dejesus@Baltimore.com
Subject: SECURITY WIRE DIGEST, VOL. 5, NO. 77, OCTOBER 13, 2003
SECURITY WIRE DIGEST, VOL. 5, NO. 77, OCTOBER 13, 2003
Security Wire Digest is a newsletter published by Information
Security, the industry's leading source of security news and
information.
For daily news, please visit our sister site, SearchSecurity
(http://www.searchsecurity.com).
IN THIS ISSUE:
*Exploit Code Targets Recent RPC Flaws
*nmap Gains Service Identification Features
*Group Pushes Cyber/Physical Security Integration
*P2P, Open SSL Make List of Biggest Internet Security Holes
*Tech Unit Examines Viruses for Authors' Identities
*SEC Links College Student to Illegal Trade
SECURITY PERSPECTIVES
*Microsoft Smears Lipstick On a Pig
MARKET MONITOR
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE DIGEST IS SPONSORED BY: DataPower XML Web
Service Security
XML Web Services security keeping you up at night?
XML Web Services present new security threats to the most
important apps. XML/SOAP was specifically designed to tunnel
through the firewall, requiring a new layer of XML-aware
security gateways to provide filtering, access control, XDoS
protection, XML DSIG and other essential security functions.
DataPower pioneered the hardware-based approach to XML Web
Services security, freeing its customers from software
install headaches and performance problems.
Click here for XML Web service security whitepapers and Webcasts on
XML security topics ranging from introductory to advanced
technical content.
http://www.datapower.com/m/isnl1013.html
=====================================================
*EXPLOIT CODE TARGETS RECENT RPC FLAWS
Long-anticipated exploit code targeting the most recent
Microsoft RPC vulnerabilities is circulating and may
compromise even patched XP systems. Other versions of Windows
might be vulnerable but haven't been tested.
"This code is a universal exploit, which means that it can be
used against any version of Windows that is not patched,"
says Aaron Schaub, a security analyst at intelligence firm
TruSecure. "However, there have been unconfirmed reports that
it will still work against Windows XP SP1 even with all
additional security updates installed."
The code exploits a slight variant in the RPCSS (the Remote
Procedure Call portmapper, which directs traffic for
different services using RPC) vulnerability documented in
Microsoft Security Bulletin MS03-039.
Experts report seeing increased activity on TCP port 135,
which is associated with the vulnerable service.
If the exploit works against fully patched Windows XP
systems, the best defense against the attack is to turn off
the service, if possible. Windows XP uses this service
extensively and turning it off isn't a viable option in many
situations. If the service can't be turned off, the use of
firewalls or access control lists to restrict access to
vulnerable systems can reduce the chances of attack, says Schaub.
A patch was released to correct the "Buffer Overrun In RPCSS
Service Could Allow Code Execution" (MS03-039)
vulnerabilities; which deal with RPC messages for DCOM
activation. According to Microsoft, two of the flaws could
allow arbitrary code execution; and the third could result in
a denial of service. The flaws affect Windows NT
4/2000/XP/Server 2003 and result from incorrect handling of
malformed messages.
Many security experts have speculated that the release of a
worm using this code could come at any time. In August, the
prolific Blaster worm ripped through networks worldwide by
exploiting a similar RPC/DCOM vulnerability for which a patch
had been released more than three weeks before.
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
*NMAP GAINS SERVICE IDENTIFICATION FEATURES
How can nmap, the popular network port scanning utility, top
its appearance in "Matrix Reloaded" under the able fingers of
Carrie-Anne Moss? By adding features such as optional
detection of services, including version number.
The new version of nmap improves its prowess at exploring
networks and supporting security audits. Nmap can still scan
ports in stealth mode, rapidly pinging multiple hosts in
parallel to test which ones are available.
"The big news for the recent release is a new version
detection capability to determine what service protocol is
running on a port," reports Fyodor Vaskovich, CTO of
Insecure.org. "In many cases, it can determine the
application name and version number as well." This is
especially useful for administrators of the "security by
obscurity" school who assign non-default ports to services.
Nmap can also handle SSL encryption and support IPv6.
Nmap is available for Windows and many UNIX flavors (plus
handhelds like HP's iPAQ and Sharp's Zaurus), in both GUI and
command-line modes. No word yet on whether the new nmap will
have a role in "Matrix Revolutions." http://insecure.org/nmap
*GROUP PUSHES CYBER/PHYSICAL SECURITY INTEGRATION
A plan to consolidate physical and cybersecurity information
is currently being reviewed by the Security Industry
Association's (SIA) Standards Committee.
Called the Physical Security Bridge to IT Security
Specification (PHYSBITS), Forrester analyst Steve Hunt says
such integration is "onerous to impossible. It's almost
impossible to perform anything other than aggregation of
events or comparing physical intrusion event data to logical
intrusion event data."
PHYSBITS was created by the Open Security Exchange (OSE), a
group of security manufacturers and suppliers--founders
include Computer Associates, Tyco and smart card
companies--formed to push new cyber/physical security
standards, or simplify existing ones. OSE Executive Director
Eric Maurice says that within eight months OSE should release
data standards.
The ultimate goal is to close the gap between physical and
cybersecurity practices. For example, while a large number of
closed-circuit surveillance cameras available today transmit
video via IP networks, they don't transmit or store
information in a standard way, making it tough to tackle "the
vulnerabilities...the risks related to session hijacking [or]
authenticating to this camera," says Maurice. PHYSBITS would
give companies a way to enforce a total security policy.
Hunt, who recently joined the OSE board, notes that "it's
initiatives like OSE that will move us toward a more
efficient and effective security architecture."
http://www.opensecurityexchange.org/press/pr20031002.html
=====================================================
*ADVERTISEMENT*
STOP SPYWARE. RECLAIM BANDWIDTH. PROTECT YOUR DATA.
Spyware knows no boundaries. It infiltrates enterprises,
stealing confidential data and using up network bandwidth.
Now you can stop spyware and reduce help desk calls with a
single solution: Integrity. To learn more, download Zone
Labs' FREE white paper, "How to Stop Spyware."
http://altfarm.mediaplex.com/ad/ck/2955-16655-6930-0
=====================================================
*P2P, OPEN SSL MAKE LIST OF BIGGEST INTERNET SECURITY HOLES
Peer-to-peer file sharing and Open SSL are finally getting
their due--landing on this year's Top 20 Most Critical
Internet Security Vulnerabilities list created by the SANS
Institute. Others, like Microsoft's IIS Server and Unix's
Sendmail, are more obvious entries since they are among the
computing world's most popular programs.
The recently released list is intended to help security
managers prioritize their own security programs by seeing
what security experts worldwide deem the biggest threats
requiring immediate attention.
Other vendors have their own vulnerability lists, but the
SANS rundown focuses on flawed services, applications and
practices, rather than malware that exploits them. Its
authors have also compiled a detailed analysis of how
specific vulnerabilities affect each service.
"The list can be used as a benchmark to measure one's
security against," said Gerhard Eschelbeck, VP of engineering
at Qualys, which offers a scanning tool for finding
vulnerabilities. "There are 20 classes of vulnerabilities in
the SANS list, which represent over 300 specific vulnerabilities."
There are plenty of new vulnerabilities on the list,
including in Outlook and Outlook Express. But given the
publicity surrounding exploits of these programs, their
inclusion isn't surprising.
Also included are programs like Windows Remote Access
Services, which include flaws in Remote Procedure Calls (RPC)
that spawned the Blaster and Nachi worms this summer. RPC was
also highlighted on the Unix list, as was Sendmail, the BIND
Domain Name System and the Apache Web server.
For a complete list and remediation tips:
http://isc.sans.org/top20.html
*TECH UNIT EXAMINES VIRUSES FOR AUTHOR IDENTITIES
We already know that virus and worm code sometimes reveals
telltale details about its author. Now a British crime unit
wants to see if these writers have links to terrorist organizations.
Britain's National High-Tech Crime Unit (NHTCU) has been
working with antivirus vendors to examine malicious code for
clues as to who or what the malware is targeting. In
particular, NHTCU wants to know if there's a link between
cyberattacks and extremist groups, according to news reports.
The group will be hard-pressed to find any answers, says
Graham Cluley, senior technology consultant for antivirus
vendor Sophos.
Despite the 85,000 viruses in existence, notes Cluley, "there
have been very few virus writers actually caught," and then
it's usually because of malware-writer stupidity. For
example, accused Blaster variant writer Jeff Parson, 18, of
Minnesota reportedly left his Web site address in the code.
"This idea that we would look in the code and see if it was
written by a terrorist or teenager is very hard to
do...there's nothing that 's going to say copyright Al-Qaeda
2003." And if it does, is it true? asks Cluley.
The NHTCU was unavailable for comment on its motives or
methodology. But Det. Chief Superintendent Len Hynds, who
heads the unit, told Reuters news service, "It's a tactic
that could be utilized. We've seen legitimate programs used
in a way that allows people to have remote access to
compromised systems. And similarly, viruses, Trojans and
worms can be used by organized crime to launch attacks."
*SEC LINKS COLLEGE STUDENT TO ILLEGAL TRADE
Using a Trojan keystroke logger and an investor's
gullibility, federal prosecutors say a Pennsylvania college
student hatched an elaborate scheme to break into an online
brokerage account to sell Cisco Systems stock options before
they expired.
"We have never brought a case like this one," John Reed
Stark, chief of the SEC's office of Internet enforcement,
told The New York Times. The SEC says this is the first known
case of securities fraud prosecution involving computer
hacking and identity theft allegations.
In papers filed last week, investigators say Van Dinh, 19, of
Pheonixville, Pa., offered members of an online stock
pickers' forum a software program to help with stock charts.
But the program was actually a monitoring tool that captured
keystrokes and allowed Dinh to gain access to a Massachusetts
investor's online brokerage account, authorities said. Dinh
then allegedly cleaned out the account, using its nearly
$47,000 to buy his own Cisco options and avoid $37,000 in losses.
"He essentially guaranteed there was a marketplace for the
options that he sold, at least some of them," Stark told the
Associated Press. SEC investigators said Dinh used ISPs in
Europe and Australia, as well as an anonymizer, to hide his
identity but still left evidence that led to his arrest. "No
matter how many steps someone takes to cover their tracks,
there are just too many trails," Stark said.
=====================================================
*ADVERTISEMENT*
OPTIMIZE AND SECURE YOUR ENTERPRISE NETWORK - FREE
Time's running out - don't miss your chance to gain
complimentary admission to "Networking Decisions: Optimize
and Secure Your Enterprise Network." Sponsored by Information
Security magazine, the conference arrives in Atlanta November
5-7 for three days of proven network security expertise. Top
speakers from Gartner, Forrester Research, Yankee Group and
more deliver unbiased insight. Information and registration:
http://networkingdecisions.com/?Offer=swdnd
======================================================
SECURITY PERSPECTIVES
*MICROSOFT SMEARS LIPSTICK ON A PIG
by John Hogan
In the run-up to last week's Worldwide Partner Conference,
Microsoft sent out the top guns from its enterprise
management division to get the community juiced about
Redmond's "securing the perimeter" initiative.
Well, you can smear lipstick on a pig, but it's still a swine.
Despite CEO Steve Ballmer's promises during his keynote
speech Thursday in New Orleans, it doesn't appear that
Windows will be substantially more secure anytime soon.
It's a sign of progress that Microsoft freely admits that
patches are a feeble way to secure computer systems. It's
also nice that the company will dedicate a Web site to
security issues and update the free Software Update Services
(SUS) tool. And it's dandy that it will tell OEMs to ship
XP-based machines with the Windows Internet Connection
Firewall (ICF) turned on. But Microsoft is being disingenuous
if it expects its customers and partners to believe that
these are anything more than stopgap measures.
And Gartner isn't very chipper on the subject of Windows.
CNET reports that the research firm planned to issue a report
last week that adds its voice to the chorus crying out about
the dangers of worldwide reliance on Microsoft software. The
Gartner report is expected to urge businesses to diversify
their desktop software or get swept up in an inevitable
"cascading failure" caused by an Internet worm or virus.
Ballmer needs to adopt a more conciliatory approach.
Reasonable people understand that software security isn't a
problem that can be solved overnight. If Microsoft is up
front about its challenges, it might be rewarded with a little slack.
John Hogan (mailto:jhogan@techtarget.com) is the news editor
for SearchWin2000.com, our sister site, which covers the
enterprise Windows platform.
Read the entire editorial:
http://searchwin2000.techtarget.com/columnItem/0,294698,sid1_g
ci931636,00.html
=====================================================
MARKET MONITOR
Market Monitor is a weekly stock performance review of select
information security companies. The prices indicated reflect
the official close and don't reflect after-hour trading.
COMPANY/SYMBOL....................10/03.....10/10.....Change
Aladdin/ALDN......................7.84......8.58......9%
Blue Coat Systems/BCSI............12.06.....14.99.....24%
BMC Software/BMC..................13.95.....14.81.....6%
Computer Associates/CA............26.96.....23.01.....-15%
Check Point/CHKP..................17.88.....17.92.....0%
Cisco Systems/CSCO................20.76.....20.8......0%
3Com Corp./COMS...................6.65......6.8.......2%
CyberGuard/CGFW...................11.21.....11........-2%
Datakey/DKEY......................0.72......0.78......8%
Enterasys/ETS.....................4.15......3.98......-4%
Entrust/ENTU......................4.33......4.65......7%
Hifn/HIFN.........................8.29......8.65......4%
Hewlett-Packard/HPQ...............20.3......21........3%
IBM/IBM...........................90.64.....92.68.....2%
Identix Inc./IDNX.................6.........5.83......-3%
Internet Sec. Sys./ISSX...........13.21.....14.11.....7%
Intrusion Corp./INTZ..............0.86......0.93......8%
Lucent Technologies/LU............2.22......2.35......6%
Netegrity/NETE....................11.54.....12.61.....9%
NetScreen/NSCN....................22.16.....23.43.....6%
Network Associates/NET............14.87.....14.91.....0%
Novell/NOVL.......................5.82......5.99......3%
Red Hat/RHAT......................10.45.....10.85.....4%
Rainbow/RNBO......................9.74......10.71.....10%
RSA Security/RSAS.................15.77.....16.5......5%
SafeNet/SFNT......................38.31.....39.99.....4%
Secure Computing/SCUR.............12.2......12.72.....4%
SonicWALL/SNWL....................6.17......6.8.......10%
Symantec/SYMC.....................65.5......64.73.....-1%
TippingPoint Technologies/TPTI....15.4......17........10%
Trend Micro/TMIC..................22.4......25.6......14%
Tumbleweed/TMWD...................6.32......6.5.......3%
Unisys/UIS........................13.89.....14.2......2%
Vasco Data Sec./VDSI..............2.67......2.84......6%
VeriSign/VRSN.....................13.98.....14.6......4%
Wave Systems/WAVX.................2.78......2.95......6%
WatchGuard/WGRD...................5.33......6.18......16%
=====================================================
Security Wire Digest (BPA E-Mail Audit Report, June 2002*) is
an e-mail newsletter brought to you on Mondays and Thursdays
by Information Security magazine. Questions or comments
should be e-mailed to Shawna McAlearney, online editor,
mailto:smcalearney@infosecuritymag.com.
=====================================================
Security Wire Digest is published by Information Security, a
TechTarget publication.
Copyright (c) 2003, Information Security and TechTarget. No
reuse or redistribution without the express written
authorization of Information Security and TechTarget. To
obtain reuse permission, contact Larry Walsh
(mailto:lwalsh@infosecuritymag.com).
*A copy of the BPA
Audit is available for download at:
http://www.bpai.com/library/statement_files/s3> 43h0j2.pdf
=====================================================
To SUBSCRIBE to Security Wire Digest, go to:
http://infosecuritymag.bellevue.com
To UNSUBSCRIBE from
SecurityWire Digest, go to:
http://infosecuritymag.bellevue.com/USL.asp?> EM=dejesus@compuserve.com
To OPT OUT of third-party mailings, go to:
http://infosecuritymag.bellevue.com/US.asp?E=dejesus@compuserv
e.com
To CHANGE your e-mail address, go to:
http://infosecuritymag.bellevue.com/CEL.asp?EM=dejesus@compuserve.com
To subscribe or renew your existing subscription to Information Security
magazine, print edition, please go to: http://www.submag.com/sub/is